Usually for budget / pricing reasons, some orgs decide to engage a firm for an annual pen test of significant scope (e.g., all ingress / egress, RAS, AD, VoIP, IPS, SIGs, ERP, EHR / EMR, SaaS, WLAN).
However, from a project management standpoint, this approach increases risk around scope, schedule, resource availability, and budgeting.
Stronger orgs, with enough resources, tend to move away from the once-and-done approach due to the need to assess many vectors, the need for timely and regular remediation actions, and security compliance requirements (i.e., PCI).